Inside the “wiper” malware that brought Sony Pictures to its knees [Update]

Details of malware that may have been associated with the attack on Sony Pictures were disseminated in an FBI “Flash” earlier this week. A copy of the memorandum obtained by Ars Technica details “a destructive malware used by unknown computer network exploitation (CNE) operators” that can destroy all the data on Windows computers it infects and spread itself over network file shares to attack Windows servers.

Meanwhile, Re/code reports that Sony is ready to announce that the company has attributed the attack on its network to North Korea, according to sources at the company. Given the details of the malware and its similarity to an attack on South Korean companies last year, a tie to North Korea seems possible, though the people taking credit for the attack claim it was motivated by Sony Pictures’ alleged discrimination in the layoffs and firings of employees during a corporate reorganization started earlier this year.

The malware used in the attack, which has been described by a Sony spokesperson as “very sophisticated,” is almost certainly the same as that identified in the FBI memo. That malware uses Microsoft Windows’ own management and network file sharing features to propagate, shut down network services, and reboot computers—and files named for key Windows components to do most of the dirty work of communicating with its masters and wreaking havoc on the systems it infects.

Read 14 remaining paragraphs | Comments

Behavior Analysis Stops Romanian Data-Stealing Campaign

In a recent press announcement, McAfee and Europol’s European Cyber Centre announced a cooperation of our talents to fight cybercrime. In general these joint operations are related to large malware families. Writing or spreading malware, even in small campaigns, is a crime. McAfee Labs doesn’t hesitate to reach out to its partners and contacts in CERTs and law enforcement. In the following case, a new Romanian-based data-stealing campaign was caught early due to behavioral and data analytics.

In our sample behavioral database, we found a new site hxxp:// Visiting the link revealed an open directory that allowed us to browse the content:


Often we observe that malware authors become overzealous in attacking victims, and forget to protect their own malware servers. Despite this campaign’s effectiveness, the malware authors took very little care to ensure that they themselves were not breached.

The binaries, which help us to understand how this campaign works, are injector.exe and blurmotion.exe. As the name suggests, injector.exe compromise the victim’s system via code injection in Internet Explorer. It first disables the firewall to ensure a smooth connection to the malware control server.


With the help of the mget command, the malware connects control site and downloads the payload blurmotion.exe.


The fact that the malware site doesn’t use any authentication makes sense because it leads to a swift connection between the victim and the attacker. Once the payload is downloaded, the batch file root.vbs takes over. This batch file is dropped by injector.exe and ensures that blurmotion.exe is executed.


We see the use of wscript.sleep 30000, which makes sure no activity happens for 5 minutes. This could be an attempt to deceive malware analyzers that the sample won’t do anything. Necessary run entries make sure root.vbs runs. After that a misspelled “restartt” is forced.


After this step, the system goes into a forced restart, and by this time the work of injector.exe (to download and install the payload) is done. From here the payload takes over. Blurmotion.exe, like its parent, drops a batch file to perform malicious activities.


Blurmotion takes the username of the victim and dumps all the processes running in the victim’s system with the name %usename%.ini.


Once the stolen data is logged, the malware uploads it to the control server via the mput command. We can see “echo cd BM” used in commands. This is the same BM folder on the malware control server that stores the logs of all victims. Like the payload, this stolen data is exposed to anyone who finds the malware control server. Our test virtual machine “victim” was named Klone, and we found it quickly uploaded on the control server.


The size of Klone.ini is zero because we had reverted to the virtual machine before the malware could steal data. In all the other infected user logs, we can see the malware executable blurmotion.exe running, confirming that those systems had been compromised.


We can also see repeated connections made to a specific site (, possibly an attempt to increase its traffic. The author is so aggressive that he or she even tried to overclock the CPU to bring more traffic to this site.


The author succeeded in these attempts. In our internal behavioral database we found a lot of redirects to this site.

McAfee detects these payloads as Rodast. McAfee SiteAdvisor also warns against connecting to this site:



Because the campaign was based in Romania, McAfee Labs contacted the Romanian CERT. After we discussed the approach and strategy with them, the Romanian team took the appropriate actions, and gave us permission to publish our analysis of the campaign in this article.

Malware authors sometimes act carelessly, and assume that they are safe if no one detects them. But data from behavioral analysis, along with cooperation with CERTs and law enforcement, can find live campaigns and stop them.

The post Behavior Analysis Stops Romanian Data-Stealing Campaign appeared first on McAfee.

Sony Pictures Hacked – Employee Details & Movies Leaked

Sony hasn’t always had the best of times when it comes to being hacked, back in 2011 Sony basically had to rebuild the PlayStation Network (PSN) because of a hack which rendered the service off-line for almost a whole week. Plus the fact the PSN hack could have leaked up to 10 million user accounts [...] The post Sony Pictures Hacked...

Read the full post at

Smart security for today’s smart homes: Don’t let attackers spoil your Christmas

Many smart home solutions contain flaws that could allow attackers to access your network and potentially compromise your home’s security
Twitter カードのスタイル: 

Contributor: Mario Ballano

With the holiday season around the corner, thoughts turn to a warm home brightened up by the twinkle of seasonal decorations. If you’re a geek like me, it’s always tempting to opt for the high-tech solution and control your festive lights with one of the growing number of home automation devices available. However, Symantec has found that some of these devices contain security flaws that could allow attackers to gain access to your home network. 

Two home automation hubs tested by Symantec had multiple security flaws that could potentially allow attackers to gain access to the hubs themselves and, by extension, to other devices connected to them. The issues aren't specific to these particular hubs; any connected device is potentially at risk. Many more smart home devices potentially have similar security flaws. 

While the explosion of internet-enabled devices, known as the Internet of Things (IoT), holds exciting possibilities for home automation, it also presents some serious security challenges and home users need to be aware that it isn’t just their PCs or smartphones that could be compromised by attackers. 

A Pandora’s Box  
There is a huge range of smart home devices that could find their way into your house this holiday season:

  • Smart power plugs to control Christmas lights
  • CCTV cameras to catch Santa’s visit
  • Smart smoke detectors in case the Christmas tree catches fire
  • Smart entertainment systems, allowing the festive music to follow you from room to room
  • Smart thermostats to keep your home nice and warm
  • Smart door locks to keep unwanted guests out
  • Security alarm systems to keep your home safe while on vacation

Many of these smart home devices connect wirelessly to a central hub which lets you manage them all  from a smartphone or web browser. Apart from Wi-Fi, smart home devices use a wide range of communication protocols, such as Powerline, Z-Wave, Zigbee, in addition to custom radio protocols. We started our analysis with two smart power plug and hub combinations.

Smart hubs and security
The first hub we looked at uses Wi-Fi and its own radio protocol for communication. To ensure that the hub is running the latest version of its firmware, it periodically checks the internet for firmware updates. This is a good practice, as users are unlikely to manually update their IoT devices themselves and could potentially fall foul of unpatched, exploitable vulnerabilities.

However, in this case, the firmware updates were not digitally signed and were downloaded from an open Trivial File Transfer Protocol (TFTP) server. This could allow an attacker on the same network to redirect the device to a malicious TFTP server. There are several means of doing this such as through Address Resolution Protocol (ARP) poisoning or by changing the domain name system (DNS) settings. The TFTP server could then send a malicious firmware update to the device. If this happens, then the complete setup would be compromised and other connected devices could be attacked, as the attacker would have full control over the hub. 

This same smart hub uses a custom radio transmission protocol for sending commands to connected devices without any additional authentication or security implementation. Unfortunately, this allows for successful replay attacks. These are very simple attacks which allow an attacker within range of the network to intercept some of the traffic and then replay it back over the network. For example, a signal to open a garage door captured while you are leaving the house could be used again later in the day to gain access. The same can be done for turning on or off lights. The attacker doesn’t even need to understand the protocol, they simply have to capture the signal used to issue a command a replay it. 

The user can store this hub’s configuration details in a cloud service, allowing them to manage the device from the internet through any web browser. Unfortunately, the user’s account is protected by a simple, four-digit PIN code. This can be easily cracked with the tools available to today’s attackers. 

Apart from the problem of an attacker guessing the PIN code (especially considering how “1234” is a common, unsecure PIN choice for many users), there are other issues with this particular cloud service. We discovered that the backend server is susceptible to a blind SQL injection attack. This could potentially reveal other users’ configuration details or may even let the attacker take control of other accounts. This could let the attacker switch off Christmas tree lights, or worse, without even being close to the house.

Unfortunately, the second smart home hub that we tested was not much better. This one did not use any authentication method for commands that were sent in the internal network. If an attacker is on the same Wi-Fi network as the hub, then they could gain control of any device connected to the hub. They could even go a step further, as the hub had a remote code execution vulnerability, allowing the attacker to execute arbitrary commands with root privileges on the hub.

Risks to your smart home
These hubs are just two examples of what we managed to compromise in a short space of time and are the latest in a long line of security flaws found in smart home devices. For example, there have been cases where people modified the thermostat of their ex-spouse or disabled security locks. Recent reports warned of how thousands of webcams and baby monitors are accessible to anyone from the internet. There have also been reports of people taking control of home automation systems belonging to others.

In general, we have found that smart home device sensors can be attacked directly, for example by modifying the firmware through physical access to the device’s JTAG interface. The attackers could then sell the modified device to someone else, potentially compromising other devices or networks in their home. 

Depending on the Wi-Fi network’s security settings, attackers could intercept communications from an IoT device to the central hub, smartphone, or the cloud and inject their own commands. 

Additionally, if a backend cloud server is used for remote administration, this part also needs to be protected. Attackers could attempt to brute-force passwords to gain access to this server.

You may say that switching someone’s lights on and off is not such a big deal. This may be true, but the effects of a smart home attack are more relevant to security when you are on vacation. Some people may use remote-controlled lights to pretend that someone is still at home to keep burglars away. Smart thieves could also use open IP webcams to check if the owners are at home and where their valuable items are. 

Another possible avenue for attackers to explore would be to apply the proven-to-work model of ransomware to the smart home. The homeowner could be coerced to pay a ransom in order to turn up the heating or even just to watch TV. This is a creepy potential paradise for stalkers, burglars, and other shady characters.

Smart protection
You should be vigilant when installing smart home devices and make sure that you understand the devices’ configuration settings. We at Symantec will keep our eyes open on the smart home device market and continue to inform vendors about discovered weaknesses in the devices we study.

Security varies a lot with different smart home devices, so it is difficult to give generic advice to users. Here are a few points to consider when installing smart home devices:

  • Only enable remote administration from the internet if you really need it
  • Set a strong password for the devices where possible
  • Use strong passwords and WP2 encryption to protect your Wi-Fi network
  • Use trusted smart home brands from companies that invest in security